
RE: delta CRLs - NR assumptions



> [Denis] "What about when there are two different sets of evidence from the same relying party which are both valid (according to the way to use CRLs) but are contradictory?"
[James] No problem. The relying party chooses whichever set they want. [The subscriber may know a different set of evidence was available, but how can they know that the relying party had it? They cannot.]
> [Denis] "I see a problem here. If you use delta-CRLs, full CRL only or OCSP (from the same CA) you do not necessarily get the same result. For a given signature policy, allowing only one means to obtain the revocation status would make it possible to ensure that everybody gets the same information."
[James] There is no requirement that everyone gets the same result. NR is a statement by a subscriber such as "I agree to X if you can produce evidence that matches rules Y". *Any* evidence matching the rules is sufficient, regardless of any other sets of evidence.
> [Denis] "In other words, it will be necessary to wait to make sure that a report of key compromise can be done."
[James] Yes, for many applications.
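The divergence Denis describes (full CRL, base+delta CRL and OCSP from the same CA giving different answers at the same instant) and James's "any evidence matching rules Y" rule can both be made concrete in a small model. The following Python is an added illustration, not code from either correspondent or from any PKIX implementation; the CA, the certificate serial, the timestamps and the revocation sets are all constructed, and delta-CRL merging is simplified to additions only (no removeFromCRL handling).

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed scenario: one CA, one certificate (serial 42) whose key is reported
# compromised at 10:00. None of these values come from a real CA.


def T(hour: int, minute: int) -> datetime:
    """Hypothetical timestamp on a single day."""
    return datetime(2024, 1, 1, hour, minute)


@dataclass(frozen=True)
class Crl:
    this_update: datetime
    next_update: datetime
    revoked: frozenset                       # revoked serial numbers
    delta_base: Optional[datetime] = None    # delta CRLs only: thisUpdate of the base CRL


def apply_delta(base: Crl, delta: Crl) -> Crl:
    """Merge a delta CRL into its base CRL (simplified RFC 5280 5.2.4 semantics:
    only newly revoked entries are handled; removeFromCRL is not modelled)."""
    if delta.delta_base != base.this_update:
        raise ValueError("delta CRL does not refer to this base CRL")
    return Crl(delta.this_update, delta.next_update, base.revoked | delta.revoked)


def crl_status(crl: Crl, serial: int, now: datetime) -> str:
    """Status according to a CRL, provided it is inside its validity window."""
    if not (crl.this_update <= now < crl.next_update):
        return "stale"
    return "revoked" if serial in crl.revoked else "good"


def ocsp_status(responses: dict, serial: int) -> str:
    """Status according to a (constructed) OCSP responder database."""
    return responses.get(serial, "unknown")


# Constructed evidence, all issued by the same CA
BASE_CRL = Crl(T(9, 0), T(13, 0), frozenset({7}))                          # issued before the compromise
DELTA_CRL = Crl(T(10, 30), T(11, 30), frozenset({42}), delta_base=T(9, 0))  # first CRL listing serial 42
OCSP_DB = {42: "revoked"}                                                   # responder updated at 10:05


def statuses_at(now: datetime, serial: int = 42) -> dict:
    """What each revocation-checking method says about `serial` at time `now`."""
    return {
        "full_crl": crl_status(BASE_CRL, serial, now),
        "delta_crl": crl_status(apply_delta(BASE_CRL, DELTA_CRL), serial, now),
        "ocsp": ocsp_status(OCSP_DB, serial),
    }


def nr_evidence_acceptable(allowed_sources: frozenset, now: datetime, serial: int = 42) -> bool:
    """Signature-policy rule in James's sense: the signature is accepted if *any*
    allowed source reports the certificate as good at `now`. Restricting
    `allowed_sources` to a single method (Denis's proposal) makes every relying
    party reach the same answer from the same data."""
    found = statuses_at(now, serial)
    return any(found[src] == "good" for src in allowed_sources)


if __name__ == "__main__":
    now = T(11, 0)   # one hour after the compromise, within the full CRL's validity
    print(statuses_at(now))
    print(nr_evidence_acceptable(frozenset({"full_crl", "delta_crl", "ocsp"}), now))
    print(nr_evidence_acceptable(frozenset({"ocsp"}), now))
```

At 11:00 the still-valid full CRL (issued at 09:00) reports serial 42 as good while base+delta and OCSP report it revoked, so a policy allowing all three sources accepts the signature on the strength of the full CRL alone, whereas a policy restricted to OCSP rejects it. The model also shows Denis's last point: a relying party that only fetches full CRLs cannot see the compromise until the next full CRL is issued.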